Review workflow secrets security

[josecelano]

@da2ce7 and I were discussing workflow secrets. We have to review them in order to avoid someone stealing the secrets.

I'm going to start the discussion with some useful links to read before going deep into the details.

LINKS

• GitHub docs: Implementing least privilege for secrets in GitHub Actions

• GitHub docs: Environment secrets.

• Using CODEOWNERS to monitor changes. You can use the CODEOWNERS feature to control how changes are made to your workflow files

• GitHub docs: Deployment branches.

• GitHub Community Forum: Limit secrets to specific branches

• branch-based-secrets GitHub Action. Dynamically use different secrets depending on the current branch the action is currently running on.

• Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests.

• Github Actions and the threat of malicious pull requests.

• Using Environment Protection Rules to Secure Secrets When Building External Forks with pull_request_target

• GitHub Actions & Security: Best practices

• Staroverflow question: How to Define Github Branch Specific Secret or an Alternative?.

• Blog post: Stealing arbitrary GitHub Actions secrets.

[josecelano]

List of secrets we are using:

Repository secrets:

• GPG_PRIVATE_KEY: a GPG key used only for testing purposes to sign commits on the test workflow.
• PASSPHRASE: passphrase for the previous GPG key.

Other secrets:

• GITHUB_TOKEN: used by megalinter and another action to create releases: ncipollo/release-action@v1

[josecelano]

I have changed the organization's default workflow permissions:

I think it will help us to have a more restricted approach and also to be more explicit in defining permissions for the workflows.

One of the test projects' workflow has failed:

Previous default permissions:

New default permissions:

I suppose we need to add the contents: write permission.

List of permissions.

[josecelano]

The problem was fixed by adding the "contents: write" permission to the workflow job.

update:
  runs-on: ubuntu-latest
  permissions:
    issues: write
    contents: write
  steps:
    - uses: actions/checkout@v2

[josecelano]

The other test project (library-consumer) has also failed, probably for the same reason.

[da2ce7]

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://securitylab.github.com/research/github-actions-untrusted-input/
https://securitylab.github.com/research/github-actions-building-blocks/

[josecelano]

I have installed the GitHub code scanning as described in the second part of the article and some security errors have been found.

[josecelano]

This is in general a list of nice-to-have things about security: https://bestpractices.coreinfrastructure.org/en/projects?q=git-queue

[josecelano]

@da2ce7 regarding not trusting third-party actions like for example the one used by MegaLinter, right now with the most restricted workflow permissions the MegaLinter workflow GITHUB_TOKEN would have these permissions:

• Contents: read
• Metadata: read

And it seems the workflow has only those permissions even if you execute it having write permissions with a local branch.

[josecelano]

Creating a PR from a fork shows this warning:

More info.